We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of our phones or computers before they are disposed, donated, or recycled.

A recent HIPAA settlement offers a costly reminder that other types of office equipment we use regularly have similar hard drives capable of storing confidential personal information.

On August 14, 2013, HHS announced a $1,215,780 settlement with the not-for-profit managed care plan Affinity Health Plan, Inc., stemming from an investigation of potential violations of the HIPAA Privacy and Security Rules relating to an April 15, 2010 breach report filed by Affinity with the HHS Office for Civil Rights (OCR). Affinity’s breach report and OCR’s subsequent investigation revealed that Affinity had impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the photocopier hard drives. Affinity learned of the breach when a representative from CBS Evening News informed the New York health plan that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity and had found confidential medical information on the photocopier’s hard drive. OCR’s investigation indicated that Affinity had failed to assess the potential security risks and implement policies for the disposal of protected health information stored on the photocopier hard drives.

In addition to the financial settlement, the Resolution Agreement includes a corrective action plan (CAP) requiring Affinity to use its “best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by [Affinity] that remain in the possession of [the leasing agent].” The CAP also requires Affinity to conduct a comprehensive risk analysis and implement safeguards to protect electronic protected health information on all of its electronic equipment and systems.

For more than ten years, digital copiers have been capable of storing images of documents. This settlement should serve as a warning to entities and individuals who handle electronic personal health information: any and all equipment capable of storing trace amounts of digital information should be accounted for in risk assessments conducted under the HIPAA Security Rule.  All HIPAA Privacy and Security Policies and Procedures Manuals should be updated to include guidelines for safeguarding protected health information retained on digital copiers, scanners, fax machines and other devices whose primary function may not be data storage.

By Ryan Blaney and Kelly Carroll

Photo of Ryan Blaney Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a…

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.